Remove policy for self-service password changes

The self-service password API was left intentionally unprotected in a change during the stable/ocata cycle: I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1 The default policy was not removed from the same config and as a result it was migrated into code during the policy-in-code work. This isn't necessary since it's not used to protect anything. Policy should still be enforced on administrative password resets, but that is done using the `update_user` API. Change-Id: I431f5ef9d6d5d689a06736640d22997fbddb869c Closes-Bug: 1705485
2017-07-20 20:45:42 +00:00 · 2017-07-20 20:45:42 +00:00 · 77bf1ad0b8
commit 77bf1ad0b8
parent d31d063412
4 changed files with 20 additions and 9 deletions
--- a/doc/source/getting-started/policy_mapping.rst
+++ b/doc/source/getting-started/policy_mapping.rst
@ -43,7 +43,6 @@ identity:list_users                                        GET /v3/users
 identity:create_user                                       POST /v3/users
 identity:update_user                                       PATCH /v3/users/{user_id}
 identity:delete_user                                       DELETE /v3/users/{user_id}
-identity:change_password                                   POST /v3/users/{user_id}/password

 identity:get_group                                         GET /v3/groups/{group_id}
 identity:list_groups                                       GET /v3/groups
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -128,7 +128,6 @@
    "identity:update_policy": "rule:cloud_admin",
    "identity:delete_policy": "rule:cloud_admin",

-    "identity:change_password": "rule:owner",
    "identity:check_token": "rule:admin_or_owner",
    "identity:validate_token": "rule:service_admin_or_owner",
    "identity:validate_token_head": "rule:service_or_admin",
--- a/keystone/common/policies/user.py
+++ b/keystone/common/policies/user.py
@ -62,13 +62,7 @@ user_policies = [
        check_str=base.RULE_ADMIN_REQUIRED,
        description='Delete a user.',
        operations=[{'path': '/v3/users/{user_id}',
-                     'method': 'DELETE'}]),
-    policy.DocumentedRuleDefault(
-        name=base.IDENTITY % 'change_password',
-        check_str=base.RULE_ADMIN_OR_OWNER,
-        description='Self-service password change.',
-        operations=[{'path': '/v3/users/{user_id}/password',
-                     'method': 'POST'}])
+                     'method': 'DELETE'}])
 ]


--- a/releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml
+++ b/releasenotes/notes/bug-1705485-7a1ad17b9cc99b9d.yaml
@ -0,0 +1,19 @@
+---
+upgrade:
+  - |
+    [`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
+    The `change_password` protection policy can be removed from file-based
+    policies. This policy is no longer used to protect the self-service
+    password change API since the logic was moved into code. Note that the
+    administrative password reset functionality is still protected via policy
+    on the `update_user` API.
+fixes:
+  - |
+    [`bug 1705485 <https://bugs.launchpad.net/keystone/+bug/1705485>`_]
+    A `previous change <https://review.openstack.org/#/c/404022/>`_ removed
+    policy from the self-service password API. Since a user is required to
+    authenticate to change their password, protection via policy didn't
+    necessarily make sense. This change removes the default policy from code,
+    since it is no longer required or used by the service. Note that
+    administrative password resets for users are still protected via policy
+    through a separate endpoint.